Sponsored by..

Showing posts with label SoftLayer. Show all posts
Showing posts with label SoftLayer. Show all posts

Thursday 29 October 2015

Malware spam: "Documents for Review and Comments" / Pony / eyeseen.net

This fake document scan email has a malicious attachment:

From:    Sarah [johnson@jbrakes.com]
Date:    29 October 2015 at 08:27
Subject:    Documents for Review and Comments

Hi Morning,

Attached are the return documents.

Call me if you need anything.

See you soon. :)


Sarah
The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.

According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:

eyeseen.net/swift/gate.php

This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.

The payload is Pony / Fareit, which is basically a password stealer.

MD5s:
25a322b9ea5c709c4376bf58527f198a
efc7210f7dbce441f74e3c9f07f28a2e
79ca99c3f751ae334d0340284242e4f6